JSON Web Tokens (JWTs) are a popular option in the authentication space, but they carry an inherent risk. While you gain flexibility by using a JWT, you lose the ability to revoke a token once it has been issued: a service that validates the signature and expiry locally never has to ask the issuer whether the account is still active. To minimize the time between an administrator locking a user account and the expiry of a previously issued token, the JWT should be short lived. This time window, although designed to be brief, is a common security concern. Traditional solutions to this problem, such as checking every token against the issuer on each request, defeat the benefits of a portable identity. Inversoft has come up with a complementary way to address the issue. Brian Pontarelli will cover how to implement this JWT revocation strategy to reduce the vulnerability window.
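To make the vulnerability window concrete, here is an added example (not Inversoft's code and not a description of their strategy) that mints short-lived HS256 tokens and verifies them offline, then layers on one common mitigation: a hypothetical per-subject revocation cutoff that a service could receive from the identity provider when an administrator locks an account. Any token issued before the cutoff is rejected even though its signature and expiry are still valid. The key, the subject names and the timestamps are constructed for the example.

```python
"""Short-lived HS256 JWTs with a per-subject revocation cutoff (illustrative)."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo key; a real deployment loads this from a secret store.
SECRET = b"constructed-demo-key-do-not-use"

# Hypothetical revocation store: subject -> epoch second at which the account was locked.
# In a real system this would be pushed from the issuer to every verifying service.
REVOKED_AT = {}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint(sub: str, now: int, ttl: int = 300) -> str:
    """Issue a compact JWT for `sub` that expires `ttl` seconds after `now`."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": sub, "iat": now, "exp": now + ttl}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def revoke(sub: str, when: int) -> None:
    """Record that `sub` was locked at epoch second `when`."""
    REVOKED_AT[sub] = when


def verify(token: str, now: int) -> Optional[dict]:
    """Return the claims if the token is authentic, unexpired and not revoked; else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h, c, s = parts
    try:
        expected = hmac.new(SECRET, f"{h}.{c}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None  # tampered payload or forged signature
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(c))
    except (ValueError, TypeError):
        return None
    if header.get("alg") != "HS256":
        return None  # refuse alg=none and algorithm-confusion attempts
    if claims.get("exp") is None or claims["exp"] <= now:
        return None  # the short TTL bounds how long a stale token survives
    cutoff = REVOKED_AT.get(claims.get("sub"))
    if cutoff is not None and claims.get("iat", 0) < cutoff:
        return None  # issued before the account was locked
    return claims


def remaining_window(token: str, lock_time: int) -> int:
    """Seconds an already-issued token would stay valid after a lock, with expiry alone."""
    claims = json.loads(_b64url_decode(token.split(".")[1]))
    return max(0, claims["exp"] - lock_time)


if __name__ == "__main__":
    t0 = int(time.time())
    tok = mint("alice", t0, ttl=300)
    print("valid now:", verify(tok, t0 + 10) is not None)
    print("window without revocation:", remaining_window(tok, t0 + 60), "s")
    revoke("alice", t0 + 60)
    print("valid after lock:", verify(tok, t0 + 100) is not None)
```

The `exp` check alone leaves the token usable for the rest of its TTL after the lock; the cutoff closes that gap for the locked subject while every other token keeps validating locally, which is the property the talk is about. The trade-off is that the cutoff table has to reach every verifier, so it should stay small (subjects locked within the longest TTL, nothing older).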

Join Brian Pontarelli in this live coding event on Jul 27, 2017 2:00 PM, Eastern Time (US and Canada). Brian Pontarelli is the CEO of Inversoft, a Denver-based company that allows developers to offload their authentication, authorization and user management needs. Before Brian bootstrapped Inversoft, he studied computer engineering at the University of Colorado Boulder. After graduating, he worked at a variety of companies including Orbitz, US Freightways, XOR and Texturemedia.

"ISAM 9.0.2 introduces a new, highly flexible authentication mechanism to the authentication service known as InfoMap. This new mechanism allows rich and sophisticated authentication logic to be built by using server-side JavaScript and client-side HTML page templates. The server-side JavaScript is able to leverage ISAM-specific platform APIs (similar to federation mapping rules), such as account-linking functions, an HTTPS client, and temporary and expirable storage."

In addition, the authors provide you with the resources you need to recreate the steps with the popular social media sites, LinkedIn and Instagram. Comment if you recreated the steps!

The different deployment options within Bluemix place different requirements on how users are authenticated. This new article explains the various ways in which Bluemix users can be managed and authenticated. The authentication covered in this article concerns users of the Bluemix platform itself, that is, developers, administrators, and operators. Applications running on top of Bluemix can use any authentication method that is appropriate for the application's purpose.

Another tutorial we recently published, Create a security-based and machine-learning front end, teaches you how to build a security front end that automatically learns the proper format of application inputs and rejects requests that deviate from it. Where hand-written input validation leaves gaps, this kind of front end greatly reduces the risk that applications face.

In this new tutorial, the Guardium team describes how you can audit and keep track of privileged users and how they might be compromised. This tutorial combines the power of Guardium with IBM Security Privileged Identity Manager so that you can start building a secure immune system.

You'll learn the benefits of fusing Guardium with PIM, the solution architecture, and how you can enhance reports with data configured from PIM.

I'm happy to announce that we have just published a new article on the new integration of AppScan Standard with Application Security on Cloud. AppScan Standard 9.0.3.5 can integrate with Application Security on Cloud (ASoC): it is now possible to upload scans and templates (SCAN or SCANT files) to Application Security on Cloud and run the scans there. This article shows how to configure AppScan Standard and run a scan against Application Security on Cloud.

Increasing demand from today's employees for a flexible experience that affords them the option to use the mobile technology of their choosing has disrupted traditional approaches to IT management and security. As a first response, it's not uncommon for companies to launch bring-your-own-device (BYOD) initiatives. However, these programs become more difficult to scale the more they include a larger percentage of the workforce, more corporate apps, and increased access to enterprise data and resources. It's clear that BYOD is here to stay, and the expansion of use cases for mobile continues to bolster business growth. However, the role of enterprise IT must advance alongside these new trends to enable a more secure mobile workforce that is well equipped to respond to customer needs on their own terms.

Rolling out large enterprise software across any organization requires a smart infrastructure plan and an eye towards future scalability if the deployment is going to be a success. With IBM BigFix Software, there are some specific challenges that need to be met when designing a deployment from a performance perspective. Here is how one team within IBM faced a performance challenge and solved it using a smart infrastructure plan.

Shadow IT refers to the information technology solutions used inside an organization without the explicit approval of the organization. In recent years, the advent of cloud computing has made it easier for employees to circumvent the IT department and use a variety of cloud applications without the knowledge or approval of the organization. Despite the high visibility of recent data breaches, most employees still choose to use cloud services to be able to do their job more efficiently. In a study conducted by IBM Security, it was found that 1 in every 3 Fortune 1000 employees regularly saves and shares company data to third-party cloud-based platforms that are not explicitly approved by their organization [1]. This figure is expected to increase as the workplace demographic changes and millennials, who are greater users of cloud applications [2], make up more and more of the workforce.

In this tech note, the authors provide best practices for enabling DB2 native encryption in an HADR environment. Additionally, the note provides a simplified set of working steps, with examples. These steps are designed to minimize the downtime of the database service.

In his new article, Yang Qi demonstrates how you can apply the new enhancements of the Auto-Scaling for Bluemix® service to a Node.js application.

So what does this mean for security enthusiasts? It means that you can actually improve the elasticity of your applications with the features of the Auto-Scaling service. It means that you can customize your policy and automatically scale in or out when the CPU threshold is crossed, thus keeping the application healthy without wasting resources.

This tutorial also shows you just how easy it is to utilize the new metric types, heap and throughput.

This workbook contains a series of lab exercises to introduce you to JK Enterprises, which uses the features of IBM Security Identity Manager virtual appliance 7.0.1.3.

The objective of the lab exercises is to provide you with hands-on experience with the configuration and operation of IBM Security Identity Manager 7.0.1.3.

The workbook is designed to complement the presentations that cover each of the features. More detailed information on IBM Security Identity Manager 7.0.1.3 features and functions is found in these presentations. More information is also available in the product documentation on IBM Knowledge Center.

We've all been hearing more and more about BigFix®. If you're an IBM BigFix administrator, you'll want to read on. (Even if you're not, you'll find this interesting!) Here, we have an article from Marco Mattia in which he outlines Virtual Relays and gives instructions on how to use this feature. You'll also learn the benefits and advantages of using a BigFix Virtual Relay.

Ever experienced a situation like the one in this image: numerous tests and a heavy server load? Minimize the time wasted on "noise."

Common false positives waste developers' time and energy. With this new tutorial by Akash Shetty and others, you can root out those common problems.

IBM Security AppScan® is an automated web application security assessment tool that identifies prominent security vulnerabilities, including those in the OWASP Top Ten and the SANS Top 25. The tool also provides detailed reports on security issues along with advisories and fix recommendations. With the help of this tutorial, AppScan users can significantly reduce the number of false positives reported.

In this tutorial, author Madhusudhan Rajappa shows you an effective way of conducting a vulnerability assessment of the web applications and network of any organization. This tutorial also shows how to proactively defend the organization from cyber attacks by using a combination of enterprise-grade and trustworthy vulnerability scanners. The scanners that will be discussed in this tutorial are the Tenable™ Nessus® Scanner and the IBM AppScan® Enterprise. Read on for step-by-step instructions to implement a vulnerability assessment by using each of those scanners.

In this blog post, Mark Leitch demonstrates the BigFix® Query capability and the topology "power" of the infrastructure.

IBM BigFix is a powerful security product able to manage hundreds of thousands of endpoints. BigFix has recently delivered the BigFix Query capability, offering more insight into and control over your business. We give an introduction to BigFix Query, and then demonstrate how it leverages the time-tested and field-proven BigFix infrastructure to provide impressive results at scale. To read more about this topic, read the blog post in full.

In this lab configuration guide, authors Smita Kale, Bosko (Boli) Popovic and Vladimir Jeremic walk you through how to set up the lab environment when demonstrating an integration use case.

The video, "IBM Security products that are used to manage user activity on the network," focuses on using IBM XGS, Identity Manager, and Directory Integrator to control user access. The video is available at: https://vimeo.com/166064140.

The Lab Configuration Guide describes the configuration settings necessary for each of the IBM products used in the scenario that is demonstrated in the video. The video assumes that the initial setup was performed for the XGS, Identity Manager, and Directory Integrator products. This guide describes the configuration settings needed to enable the product integration that delivers the end-user experience shown in the video.

The configuration files needed for Identity Manager are also included, as well as the custom XGS adapter in a .jar package. All assembly lines are included.

Check out this article from authors Jia Li Chen, Wei Wei Zhang, and Cheng-Yu Yu on how to retrieve deleted templates in AppScan.

In AppScan Enterprise, there are 14 default scan templates installed within the product. However, users may delete default templates in the console by mistake. Learn two methods to retrieve default templates in AppScan Enterprise.